Need help - upgrading openssl version from 3.0.12 to 3.2.x version

Prasad, PCRaghavendra Pcraghavendra.Prasad at dell.com
Thu Feb 29 06:45:12 UTC 2024


Thanks, Tomaz for the information this helps

One more doubt is there any place where I can see the difference between older version to the newer version

Ex: from 3.0.12 to 3.2.x specific updates

Thanks,

-----Original Message-----
From: Tomas Mraz <tomas at openssl.org> 
Sent: Tuesday, February 27, 2024 1:14 PM
To: Prasad, PCRaghavendra; Wall, Stephen; openssl-users at openssl.org
Subject: Re: Need help - upgrading openssl version from 3.0.12 to 3.2.x version


[EXTERNAL EMAIL] 

For FIPS compliance you definitely need to use the validated version of a FIPS provider. Please see the instructions here [1] on how to combine the latest release with a validated FIPS provider version.

[1] https://urldefense.com/v3/__https://github.com/openssl/openssl/blob/master/README-FIPS.md__;!!LpKI!jLMp7kblHEfwy_-l1pml2BUrIGyDrS0buy7NkQJ9AnH48CNuu5pkshNIHT4nJ8wBN0wuiDin47HZyuaShgEZPQ$ [github[.]com]

Tomas Mraz, OpenSSL

On Tue, 2024-02-27 at 05:55 +0000, Prasad, PCRaghavendra wrote:
> Thanks, Tomas,
> 
> So we can use OpenSSL 3.2.0 and enable fips during the build step and 
> get the fips.so
> 
> OR
>  
> we should take the OpenSSL 3.2.0 code and then take the FIPS provider 
> from the OpenSSL 3.0.8 or 3.0.9 and build, then get the fips.so, 
> fipsmodule.cnf and combine with OpenSSL 3.2.0
> 
> Thanks,
> Raghu
> 
> -----Original Message-----
> From: openssl-users <openssl-users-bounces at openssl.org> On Behalf Of 
> Tomas Mraz
> Sent: Tuesday, February 27, 2024 9:05 AM
> To: Wall, Stephen; openssl-users at openssl.org
> Subject: Re: Need help - upgrading openssl version from 3.0.12 to 
> 3.2.x version
> 
> 
> [EXTERNAL EMAIL]
> 
> On Mon, 2024-02-26 at 22:38 +0000, Wall, Stephen wrote:
> > > Please note that we actually test running the 3.0.8 and 3.0.9 
> > > validated versions of the FIPS provider with the 3.2 OpenSSL in 
> > > the CI and it works. We are not aware of any problems with running 
> > > the validated versions of the FIPS provider with the current 
> > > OpenSSL versions.
> > 
> > OK, so 
> > https://urldefense.com/v3/__https://github.com/openssl/openssl/issues/
> > 23400__;!!LpKI!m4FTaZF0-kz3NQm8Y9WvC4n233dgbq01QmEc_C-
> > 2XrCWwWFFRtkaMjD
> > i6t8tcws2hmT529ayVVlzqPunWH8qZw$ [github[.]com] doesn't actually
> > prevent OpenSSL from working, it's just an issue with `openssl
> > fipsinstall`.  I hadn't followed it closely enough, just briefly
> > saw some some messages go past.
> 
> Yeah, that issue is not really preventing the 3.0.x FIPS provider
> working with subsequent OpenSSL releases. It's just a matter of a
> minor FIPS compliance issue. (Depending on different views it might
> matter for the FIPS compliance or not.)
> 
> > Good to know.  Will the same apply to the 140-3 module and OpenSSL 
> > 3.2?
> 
> Yes, that is and always was the intention. The FIPS provider is built
> in a way that it can be used with any other version and the same
> applies to third party providers.
> 
> --
> Tomáš Mráz, OpenSSL
> 

-- 
Tomáš Mráz, OpenSSL



More information about the openssl-users mailing list